Security researchers at Rapid7 are warning about multiple secuirty vulnerabilities impacting Baxter’s Sigma Spectrum infusion pumps, including issues that could lead to the leakage of credential.
In an advisory published Thursday, Rapid7 called attention to five vulnerabilities found in Sigma Spectrum infusion pumps and the Sigma WiFi batteries.
The Sigma Spectrum infusion pumps have been designed so that, when powered up after a WiFi battery is connected, unencrypted data is sent to the battery via universal asynchronous receiver-transmitter (UART).
Because of that, the transmitted data is potentially at risk of compromise by attackers with access to the infusion pumps, who could either place a communication shim between the units to capture the data, or could use their own battery to exfiltrate data.
The first block of transmitted data contains the WiFi configuration information, which is then stored on the battery’s non-volatile memory. An attacker able to attach their own battery to a pump could then extract from the unit credentials that allows them to access an organization’s WiFi network.
Tracked as CVE-2022-26390, the flaw could also result in credential leaks if the battery’s non-volatile memory is not overwritten before the unit is decommissioned, Rapid7 explained.
“When the devices are de-acquisitioned and no efforts are made to overwrite the stored data, anyone acquiring these devices on the secondary market could gain access to critical WiFi credentials of the organization that de-acquisitioned the devices,” the company said.
Rapid7 also discovered a format string vulnerability impacting the ‘hostmessage’ command of a telnet session on the Sigma WiFi battery (CVE-2022-26392). If `settrace state=on` is enabled, an attacker could view the output from the vulnerability by entering a specific command during a telnet session.
Another format string vulnerability on the WiFi battery can be triggered by setting up a WiFi access point with a SSID containing format string specifiers, and then sending a `get_wifi_location (20)` command to the infusion pump via XML, at specific ports.
Tracked as CVE-2022-26393, the vulnerability is triggered when the device processes the SSID name of the access point. An attacker within radio range could exploit the issue to potentially read and write arbitrary memory, or, at a minimum, to cause a denial of service (DoS) condition.
Rapid7 also warned that the Sigma GW IP address could be changed remotely on all tested WiFi battery units, without authentication (CVE-2022-26394). The SIGMA GW is used for setting the back-end communication services for the device.
An attacker could exploit this vulnerability by sending an XML command 15 to TCP or UDP port 51243, allowing them to eavesdrop on all communications initiated by the infusion pump (a man-in-the-middle (MitM) attack).
Organizations are advised to restrict physical access to the infusion pumps or Wi-Fi battery units, as well as to plug batteries into a unit with invalid or blank credentials to overwrite their non-volatile memory and prevent credential leaks.
In addition, organizations should restrict access to the network segments to which the infusion pumps are connected, as well as monitor network traffic for unauthorized communication over TCP and UDP port 51243 to infusion pumps.
Baxter manufactures and markets a variety of healthcare and pharmaceutical products, including infusion systems. The company’s Sigma Spectrum infusion pumps are TCP/IP-enabled devices commonly used in healthcare facilities to administer medication and nutrition to patients.
Ionut Arghire is an international correspondent for SecurityWeek. Previous Columns by Ionut Arghire:Tags: